/Code Review/IDOR via JWT Claim Manipulation

IDOR via JWT Claim Manipulation

Authorization bypass by modifying JWT claims when signature is not properly validated.

CRITICALHard

Vulnerable Codejavascript

1const jwt = require('jsonwebtoken');
2
3app.get('/api/admin/users', (req, res) => {
4    const token = req.headers.authorization?.split(' ')[1];
5    
6    // Decode without verification
7    const decoded = jwt.decode(token);
8    
9    if (decoded.role !== 'admin') {
10        return res.status(403).json({ error: 'Admin access required' });
11    }
12    
13    // Return all users
14    const users = db.users.find({});
15    res.json(users);
16});

Understanding the Issue

Using jwt.decode() instead of jwt.verify() allows attackers to modify token claims without detection. The "none" algorithm attack removes signature verification entirely.

JWT None Algorithm Attack

Modify JWT claims and remove signature

Malicious Input

Original: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiIxMjMiLCJyb2xlIjoidXNlciJ9.signature
Modified: eyJhbGciOiJub25lIn0.eyJ1c2VySWQiOiIxMjMiLCJyb2xlIjoiYWRtaW4ifQ.

Impact

Attacker gains admin access without valid credentials

Technical Details

Vulnerability Type: Broken Access Control / JWT Manipulation
Severity: CRITICAL
Language: Javascript
CWE: CWE-639
OWASP: A01:2021 - Broken Access Control

IDOR via JWT Claim Manipulation

Understanding the Issue

How Attackers Exploit This

JWT None Algorithm Attack

Finding the Vulnerability(3 hints)

Technical Details

IDOR via JWT Claim Manipulation

Understanding the Issue

How Attackers Exploit This

JWT None Algorithm Attack

Finding the Vulnerability(3 hints)

Technical Details